The joy of open, agile government security compliance

Jul 31, 2019 · 2 min read

At DrupalGovCon 2019, CivicActions’ Chief Information Security Officer Fen Labalme shared how to transform the cumbersome process of security compliance by using agile methods and automation. Fen knows that security is especially important for our government clients, and believes that the existing culture of compliance doesn’t have to be a barrier to transforming the way they deliver digital services to the public.

In this session, Fen talks about strategies to automate the creation of a System Security Plan (SSP), the documentation a system needs before it can be granted an Authority to Operate (ATO). By creating a shared library of reusable security controls organized by high-level system components, we’re helping agencies build systems that are both compliant and more secure.

Watch Fen Labalme’s talk at DrupalGovCon, July 2019.

“Compliance is not security — compliance is check boxes. I am building systems that are secure as well as compliant.” — Fen


  • 1:00 — An overview of Fen’s involvement in IT security — starting in 1977!
  • 5:25 — All about security compliance for government: FISMA and ATOs
  • 9:50 — Why compliance is not security
  • 11:50 — How the government is updating risk management
  • 15:00 — Why System Security Plans and ATOs are still too static
  • 15:50 — Making security agile
  • 16:15 — Automating the creation of a System Security Plan (SSP)
  • 19:30 — Tools to share control information
  • 20:30 — Creating a reusable library of components for each system
  • 20:52 — Making machine-readable open control for easy automation
  • 25:00 — Modules that can help automate Drupal security compliance
  • 26:14 — How to avoid writing another ATO ever again
  • 32:50 — Using automation for continuous authorization
  • 34:00 — Good practices to promote a culture of security
  • 36:45 — CivicActions security team’s continuing efforts to automate security — and share our work with others

